Has anyone made a VPN over Internet so that the routers also would perform
NAT so that the workstations could access the Internet? If yes, does everything
work correctly? My experience is that both operations (NAT and IPSEC
tunnelling) don't work correctly at the same time.
-» Marko «-
That is true. IPsec rules are such that both end-points on the VPN must have
public IP addresses. While running NAT there is no way for the security
software to guarantee delivery to a NATed address, so IPsec doesn't allow it.
Ron
> That is true. IPsec rules are such that both end-points on the VPN must
> have public IP addresses. While running NAT there is no way for the
That's not the problem. Cisco routers have public addresses and workstations
behind them have private addresses. All pings go through and theoretically it
works. Practically it doesn't operate very correctly. Therefore, I'm
interested in exchanging experiences if someone has similar systems.
-» Marko «-
Hiding NAT won't work.
Static NAT works.
Cheers,
Gernot
>Hello world!
>
>Has anyone made a VPN over Internet so that the routers also would perform
>NAT so that the workstations could access the Internet? If yes, does everything
>work correctly? My experience is that both operations (NAT and IPSEC
>tunnelling) don't work correctly at the same time.
>
>-» Marko «-
poppycock and hogwash ! of course it works ! it will NOT work with
PAT, as both the VPN tunnel end point and inside users would be
fighting for use of the IP address ... bad news ... otherwise,
remember that the VPN tunnel endpoint is the outside address of the
router, most likely a serial interface ... the other addresses from
your ISP allotment are used for NAT ... the problem might be in your
crypto assignment for traffic ... you must tell the router to which
destination address to send the VPN traffic ... think of it like a
dialer-group command, where you're defining "interesting" traffic for
a dialer interface... all other traffic, that is not destined for the
other side of the tunnel, is sent out the Internet ... look at the
subnet of the other side and define your interesting traffic that way
...
HTH & GL
**************************************************
Chris Mott, CCDA, CCNP
Strategic Consulting Group
cm...@home.com
"Nothing is impossible with heart, soul, hard
work, perseverance, and the love of a good
woman. Lots of money helps, though."
**************************************************
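The layout Chris describes (tunnel endpoint on the serial interface, a separate block of ISP addresses used as the NAT pool, and a crypto ACL that names the remote subnet as the "interesting" traffic), written out as an added Cisco IOS example; it is not configuration from any poster in the thread. All addresses, names and the pre-shared key placeholder are assumed: 192.168.1.0/24 is the local LAN, 192.168.2.0/24 the remote LAN, 203.0.113.2 the far router. The one line that makes NAT and IPsec coexist is the `deny` at the top of the NAT ACL: IOS translates inside-to-outside packets before it checks the crypto map, so LAN-to-LAN traffic must be excluded from NAT or it never matches the crypto ACL and leaks out untunnelled.

```cisco
! Interesting traffic: only LAN-to-remote-LAN goes into the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NAT ACL: exclude tunnel traffic FIRST, then NAT everything else to the Internet
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! NAT pool drawn from the ISP allotment, separate from the tunnel endpoint address
ip nat pool ISP-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list NAT-TRAFFIC pool ISP-POOL
!
! IKE phase 1 and IPsec phase 2 (placeholder key, replace before use)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address VPN-TRAFFIC
!
! Outside: tunnel endpoint, NAT outside, crypto map applied here
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map VPN-MAP
!
! Inside: workstation LAN
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

To confirm the exclusion is working, `show ip nat translations` should show no entries for 192.168.2.x destinations while `show crypto ipsec sa` shows the encaps/decaps counters rising for the 192.168.1.0/24 to 192.168.2.0/24 pair.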